Many modern software systems are assembled from components (“plugins”) provided by multiple third party vendors. Whether due to malice or mistake, such third-party components pose a security risk. To help a user protect sensitive information from abuse or problems caused by plugins, some software platforms aim to apply security policies to control a plugin's behavior.
However, the policies used in practice are often complex, and often also address various aspects of security, including, for example, role-based access control and information flow tracking. Reliably enforcing such policies is difficult, and reports of security vulnerabilities due to incorrect enforcement are common.